
Remote Code Execution (RCE) in SoyCMS #9

Closed
stypr opened this issue Sep 14, 2020 · 0 comments · Fixed by #14


stypr commented Sep 14, 2020

Title

Remote Code Execution (RCE) in SoyCMS

Summary

Severity: High

SoyCMS 3.0.2 and earlier are affected by Remote Code Execution (RCE) using Unrestricted File Upload. The Cross-Site Scripting (XSS) vulnerability that was reported earlier can be chained in order to perform a successful remote code execution by redirecting the administrator to load a specially crafted webpage.

Impact: XSS to RCE via Inquiry Error and Unrestricted File Upload

  • Attack vector is: Administrator must be logged in.
  • Components are: File Manager
  • Tested SoyCMS Version: 3.0.2 (latest)
  • Affected SoyCMS Version: ~3.0.2

Found by @stypr from Vulnerability Research Team in Flatt Security Inc.

Full Exploit Video: https://youtu.be/FWIDFNXmr9g

Cause

The file upload feature in FileManager is using elFinder. However, it was found that the mimetype can be fooled to upload a PHP file. There is no feature in elFinder to check the file type, so it needs to be manually implemented.

```php
$opts = array(
    // 'debug' => true,
    'roots' => array(
        // Items volume
        array(
            'driver'        => 'LocalFileSystem',           // driver for accessing file system (REQUIRED)
            'path'          => $path,                       // path to files (REQUIRED)
            'URL'           => $url,                        // URL to files (REQUIRED)
            //'trashHash'     => 't1_Lw',                     // elFinder's hash of trash folder
            'winHashFix'    => DIRECTORY_SEPARATOR !== '/', // to make hash same to Linux one on windows too
            'uploadDeny'    => array('all'),                // All Mimetypes not allowed to upload
            'uploadAllow'   => array('image', 'text/plain', 'text/css', 'application/zip', 'application/epub+zip', 'application/pdf'), // Mimetype `image` and `text/plain` allowed to upload
            'uploadOrder'   => array('deny', 'allow'),      // allowed Mimetype `image` and `text/plain` only
            'accessControl' => 'access'                     // disable and hide dot starting files (OPTIONAL)
        ),
    )
);
```

```php
array(
    'driver'        => 'LocalFileSystem',
    'path'          => $path,
    //'startPath'     => $site->getPath(),
    'URL'           => $url,
    // 'treeDeep'     => 3,
    // 'alias'        => 'File system',
    'mimeDetect'    => 'internal',
    'tmbPath'       => '.tmb',
    'utf8fix'       => true,
    'tmbCrop'       => false,
    'tmbBgColor'    => 'transparent',
    'accessControl' => 'access',
    'acceptedName'  => '/^[^\.].*$/',
    // 'disabled'     => array('extract', 'archive'),
    // 'tmbSize'      => 128,
    'attributes'    => array(
        // front controller
        array(
            'pattern' => '/(index|im)\\.php(\\.old(\\.[0-9][0-9])?)?$/',
            'read'    => false,
            'write'   => false,
            'locked'  => true,
            'hidden'  => true,
        ),
    )
    // 'uploadDeny' => array('application', 'text/xml')
),
```

Remediation

Please add a file extension check from accessControl.

https://github.com/Studio-42/elFinder/blob/b3e92120a8657bdd263ad750dc9760c8d5aa2a89/php/connector.minimal.php-dist#L47-L59
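The following is an added example of the remediation the report asks for, not code from SoyCMS or from the elFinder project: an `accessControl` callback that keeps elFinder's stock dot-file handling and additionally denies read and write on any name carrying a server-executable extension. It assumes elFinder 2.1's callback contract, `access($attr, $path, $data, $volume, $isDir, $relpath)`, where returning `true`/`false` forces the attribute and `null` leaves the decision to elFinder, and it assumes (as the elFinder volume driver does for create and upload) that `write` is checked on the would-be path of a new file, so a denied `write` blocks the upload before the file exists. The extension list, the helper `has_executable_extension` and the constant `DENIED_EXTENSIONS` are this example's own choices and should be matched to the web server's actual handler configuration.

```php
<?php
// Added example (not SoyCMS or elFinder project code).
// Extensions the web server may hand to the PHP interpreter; extend to
// match your server configuration (assumed list, not from the report).
const DENIED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phps', 'phtml', 'phar'];

/**
 * True when $basename carries a denied extension in any of its dotted parts,
 * so "shell.php.jpg" and "shell.PHP" are caught as well as "shell.php".
 * The mimetype is deliberately ignored: the report shows it can be fooled.
 */
function has_executable_extension(string $basename): bool {
    $parts = explode('.', strtolower($basename));
    array_shift($parts); // drop the stem; only the extension parts matter
    foreach ($parts as $part) {
        if (in_array($part, DENIED_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

/**
 * elFinder accessControl callback (assumed 2.1 signature).
 * $attr is one of 'read', 'write', 'locked', 'hidden'.
 */
function access($attr, $path, $data, $volume, $isDir, $relpath) {
    $basename = basename($path);

    // Stock elFinder behaviour: hide dot-files below the volume root.
    if ($basename !== '' && $basename[0] === '.' && strlen($relpath) !== 1) {
        return !($attr == 'read' || $attr == 'write');
    }

    // Executable extension: deny read and write (write covers upload,
    // rename and mkfile); lock and hide the entry if one already exists.
    if (!$isDir && has_executable_extension($basename)) {
        return in_array($attr, ['locked', 'hidden'], true);
    }

    return null; // everything else: let elFinder decide
}
```

Wire it in with `'accessControl' => 'access'` exactly as the two configurations above already do. A stricter variant is an allow-list of extensions that mirrors `uploadAllow` (for example `png`, `jpg`, `gif`, `txt`, `css`, `zip`, `epub`, `pdf`) and denies `write` for everything else; the `acceptedName` regex in the SoyCMS configuration can carry the same allow-list, since it is evaluated on the file name rather than on the spoofable mimetype.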
